Security Incidents mailing list archives

Re: Code Red gone to sleep?


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 2 Oct 2001 17:30:53 -0600 (MDT)

On Tue, 2 Oct 2001, Jay D. Dyson wrote:

      We were discussing on the Early Bird Developers list that none of
us have seen any Code Red scans since September 30th.  This can only mean
one of four things:
<SNIP>

This is due to dates built into CodeRed II.  CodeRed II killed off CodeRed
I by periodically rebooting the victim.  They use the same entry method,
so presumably the victim base is approximately the same.  CodeRed II is
then designed to die off when Oct 1 rolls around (UTC).

CR1 now has an opportunity to come back if there are any infections left,
or if someone reinjects a copy.  None of the anti-CodeRed worms seem to
have had any success spreading, so the only way the original ISAPI
overflow vulnerability is gone is if people have patched their boxes.  I'm
sure many have, but I wouldn't be willing to bet that all of them have.

The first time around, CRv1 took several days to reach critical mass
before the world noticed.  With a smaller victim pool, it would take even
longer.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

